Elections Ontario has just disclosed that they lost USB drives containing personal information on as many as 2.4 million voters. The USB drives were supposed to be password-protected, encoded and kept in a locked area accessible only to specific staffers – but were not. The Ontario Privacy Commissioner, Ann Cavoukian, is investigating. Her initial comment:
I am deeply disturbed that a breach of this extent, the largest in Ontario history, involving millions of individuals, could happen at Elections Ontario — the agency charged with protecting the integrity of our electoral process. . .
It is my expectation that personally identifiable information will not be stored on USB keys, laptops or other mobile devices — full stop. That is the message I have repeatedly given over the years.
This reminds us that:
- A significant proportion of privacy breaches are caused by internal issues – not external hackers or thieves.
- Any device small enough to be carried or lost is a prime candidate for data loss. Avoid keeping personal or sensitive information on them whenever possible, and if you must do it, make sure it is encrypted, and not accessible by a simple password.
- Information security policies are useless if they are not followed.